One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the amount of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with we keep seeing.

One of the changelog entries for the latest version of the WordPress plugin WP Downgrade is: [Read more]